Re: SSL connection failure

From: "David Patricola" <david(dot)patricola(at)jefferson(dot)edu>
To: "'rsmogura'" <rsmogura(at)softperience(dot)eu>
Cc: "'Maciek Sakrejda'" <msakrejda(at)truviso(dot)com>, <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: SSL connection failure
Date: 2011-04-04 17:06:30
Message-ID: 7BE7960B50AE4B178D64C2E579EA1F57@tjumst.jefferson.edu
Lists: pgsql-jdbc
Actually, I just had to add in server.crt into the default keystore.  My
problem was the IP address I had in the certificate didn't match the
hostname of the calling server.  Changing the IP to the hostname did the
trick.

-----Original Message-----
From: pgsql-jdbc-owner(at)postgresql(dot)org
[mailto:pgsql-jdbc-owner(at)postgresql(dot)org] On Behalf Of rsmogura
Sent: Monday, April 04, 2011 6:19 AM
To: David Patricola
Cc: 'Maciek Sakrejda'; pgsql-jdbc(at)postgresql(dot)org
Subject: Re: [JDBC] SSL connection failure

 On Thu, 31 Mar 2011 11:36:34 -0400, David Patricola wrote:
> I got a much better error message finally!  ColdFusion's debug output
> provided me with a much better message.  The lines that say "unable to find
> valid certification path to requested target" are the biggest help, but I'm
> importing server.crt into the default cacerts file under
> E:\Jrun4\jre\lib\security, so is there some configuration I'm missing?
>
> ===========================================================================
> org.postgresql.util.PSQLException: The connection attempt failed.
> 	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:136)
> 	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
> 	at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:116)
> 	at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
> 	at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
> 	at org.postgresql.Driver.makeConnection(Driver.java:369)
> 	at org.postgresql.Driver.connect(Driver.java:245)
> 	at coldfusion.server.j2ee.sql.pool.JDBCPool.createPhysicalConnection(JDBCPool.java:589)
> 	at coldfusion.server.j2ee.sql.pool.ConnectionRunner$RunnableConnection.run(ConnectionRunner.java:67)
> 	at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
> 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
> 	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
> 	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> 	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> 	at org.postgresql.core.PGStream.flush(PGStream.java:532)
> 	at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:243)
> 	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:91)
> 	... 9 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
> 	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
> 	at sun.security.validator.Validator.validate(Validator.java:218)
> 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
> 	... 21 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> 	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
> 	... 27 more
>
> -----Original Message-----
> From: Maciek Sakrejda [mailto:msakrejda(at)truviso(dot)com]
> Sent: Wednesday, March 30, 2011 4:55 PM
> To: David Patricola
> Cc: pgsql-jdbc(at)postgresql(dot)org
> Subject: Re: [JDBC] SSL connection failure
>
>> After restarting java services, I retest the datasource connection
>> (jdbc:postgresql://x.x.x.x/main?ssl) and get the fail message
>> "org.postgresql.util.PSQLException: The connection attempt failed." with no
>> details in any logs to provide details.  The connection works without ssl
>> fine.
>
> In addition to Dave's suggestion, have you configured driver-level
> logging to check what's going on there? See loglevel connection
> parameter and DriverManager.setLogWriter().
>
> ---
> Maciek Sakrejda | System Architect | Truviso
>
> 1065 E. Hillsdale Blvd., Suite 215
> Foster City, CA 94404
> (650) 242-3500 Main
> www.truviso.com

 Hi,

 I think it's not a PG JDBC driver problem. I found a URL parameter
 that may help, sslfactory=org.postgresql.ssl.NonValidatingFactory (if it
 hasn't changed), but in addition I would like to give you some other
 hints:
 1. If you run the driver in a server environment, then the system keystore may not
 be enough. Actually, common servers like Tomcat or Glassfish provide
 their own keystore and castore located somewhere in the server directory;
 moreover, this store may not be a standard desktop JKS keystore but an NSS
 keystore, and importing certs there requires other tools.
 2. You need to put the certificate as trusted, and/or if the certificate has
 parent(s), then all those should be trusted, too.
 3. Sometimes you need to provide the keystore/truststore password by adding
 a -D system property to the JVM launch path; not all servers give the ability to
 open the keystore by using SSL sockets.

 Regards,
 Radoslaw Smogura
 http://softperience.eu
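
The two causes discussed in this thread (the server certificate missing from the truststore the JVM actually loads, and a certificate name that does not match the host being connected to) can be checked offline before touching the datasource. This is an added example, not code from the thread or from the PostgreSQL JDBC driver; the class name `TrustCheck` and its four arguments are hypothetical, and name matching is exact, with no wildcard handling.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added diagnostic (hypothetical class name), not from the thread.
// Usage: java TrustCheck <server.crt> <truststore> <storepass> <host-in-jdbc-url>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) throw new IllegalArgumentException("need: cert truststore storepass host");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        // null means no entry in this store holds exactly this certificate.
        // If trust is meant to come from a CA, run the check against the CA certificate instead.
        String alias = ts.getCertificateAlias(cert);
        boolean selfIssued = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        cert.checkValidity(); // throws if expired or not yet valid

        // Names the certificate asserts: SAN dNSName (2) / iPAddress (7), then subject CN.
        List<String> names = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null) { // null when the extension is absent
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                int type = (Integer) san.get(0);
                if (type == 2 || type == 7) names.add(String.valueOf(san.get(1)));
            }
        }
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) names.add(String.valueOf(rdn.getValue()));
        }
        boolean nameOk = false;
        for (String n : names) nameOk |= n.equalsIgnoreCase(args[3]); // exact match only

        System.out.println("trusted entry : " + (alias != null ? alias : "MISSING from " + args[1]));
        System.out.println("issuer        : " + (selfIssued ? "self-issued"
                : cert.getIssuerX500Principal().getName() + " (must also be trusted)"));
        System.out.println("cert names    : " + names);
        System.out.println("host match    : " + (nameOk ? "yes" : "NO, " + args[3] + " is not listed"));
        System.exit(alias != null && nameOk ? 0 : 1);
    }
}
```

Point the second argument at the truststore the application server really uses, which per the hints above may not be the JRE's default `cacerts`.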

